'\" te
.\" Copyright (C) 2008, Sun Microsystems, Inc. All Rights Reserved
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License").  You may not use this file except in compliance with the License.
.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.  See the License for the specific language governing permissions and limitations under the License.
.\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE.  If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
.TH SHARE_NFS 1M "May 6, 2009"
.SH NAME
share_nfs \- make local NFS file systems available for mounting by remote
systems
.SH SYNOPSIS
.LP
.nf
\fBshare\fR [\fB-d\fR \fIdescription\fR] [\fB-F\fR nfs] [\fB-o\fR \fIspecific_options\fR] \fIpathname\fR
.fi

.SH DESCRIPTION
.sp
.LP
The \fBshare\fR utility makes local file systems available for mounting by
remote systems. It starts the \fBnfsd\fR(1M) and \fBmountd\fR(1M) daemons if
they are not already running.
.sp
.LP
If no argument is specified, then \fBshare\fR displays all file systems
currently shared, including \fBNFS\fR file systems and file systems shared
through other distributed file system packages.
.SH OPTIONS
.sp
.LP
The following options are supported:
.sp
.ne 2
.na
\fB\fB-d\fR \fIdescription\fR\fR
.ad
.sp .6
.RS 4n
Provide a comment that describes the file system to be shared.
.RE

.sp
.ne 2
.na
\fB\fB\fR\fB-F\fR \fBnfs\fR\fR
.ad
.sp .6
.RS 4n
Share \fBNFS\fR file system type.
.RE

.sp
.ne 2
.na
\fB\fB-o\fR \fIspecific_options\fR\fR
.ad
.sp .6
.RS 4n
Specify \fIspecific_options\fR in a comma-separated list of keywords and
attribute-value-assertions for interpretation by the file-system-type-specific
command. If \fIspecific_options\fR is not specified, then by default sharing is
read-write to all clients. \fIspecific_options\fR can be any combination of the
following:
.sp
.ne 2
.na
\fB\fBaclok\fR\fR
.ad
.sp .6
.RS 4n
Allows the \fBNFS\fR server to do access control for \fBNFS\fR Version 2
clients (running SunOS 2.4 or earlier). When \fBaclok\fR is set on the server,
maximal access is given to all clients. For example, with \fBaclok\fR set, if
anyone has read permissions, then everyone does. If \fBaclok\fR is not set,
minimal access is given to all clients.
.RE

.sp
.ne 2
.na
\fB\fBanon=\fR\fIuid\fR\fR
.ad
.sp .6
.RS 4n
Set \fIuid\fR to be the effective user \fBID\fR of unknown users. By default,
unknown users are given the effective user \fBID\fR \fBUID_NOBODY\fR. If
\fIuid\fR is set to \fB\(mi1\fR, access is denied.
.RE

.sp
.ne 2
.na
\fB\fIcharset\fR=\fIaccess_list\fR\fR
.ad
.sp .6
.RS 4n
Where \fIcharset\fR is one of: \fBeuc-cn\fR, \fBeuc-jp\fR, \fBeuc-jpms\fR,
\fBeuc-kr\fR, \fBeuc-tw\fR, \fBiso8859-1\fR, \fBiso8859-2\fR, \fBiso8859-5\fR,
\fBiso8859-6\fR, \fBiso8859-7\fR, \fBiso8859-8\fR, \fBiso8859-9\fR,
\fBiso8859-13\fR, \fBiso8859-15\fR, \fBkoi8-r\fR.
.sp
Clients that match the \fIaccess_list\fR for one of these properties will be
assumed to be using that character set and file and path names will be
converted to UTF-8 for the server.
.RE

.sp
.ne 2
.na
\fB\fBindex=\fR\fBfile\fR\fR
.ad
.sp .6
.RS 4n
Load \fBfile\fR rather than a listing of the directory containing this file
when the directory is referenced by an \fBNFS URL\fR.
.RE

.sp
.ne 2
.na
\fB\fBlog=tag\fR\fR
.ad
.sp .6
.RS 4n
Enables \fBNFS\fR server logging for the specified file system. The optional
tag determines the location of the related log files. The \fBtag\fR is defined
in \fB/etc/nfs/nfslog.conf\fR. If no \fBtag\fR is specified, the default values
associated with the \fBglobal\fR \fBtag\fR in \fB/etc/nfs/nfslog.conf\fR are
used. Support of NFS server logging is only available for NFS Version 2 and
Version 3 requests.
.RE

.sp
.ne 2
.na
\fB\fBnohide\fR\fR
.ad
.sp .6
.RS 4n

By default, if a server exports two filesystems, one of which is mounted as a
child of the other, NFS Version 2 and Version 3 clients must mount both
filesystems explicitly in order to access them. If a client only mounts
the parent, it will see an empty directory at the location where the other
filesystem is mounted.

Setting the \fBnohide\fR option on a filesystem causes it to no longer be
hidden in this manner, and a client will be able to move from the parent
filesystem to this one without noticing the change. However, some NFS clients
or applications may not function correctly when this option is used. In
particular, files on different underlying filesystems may appear to have the
same inode numbers.

This option is equivalent to the option of the same name provided in \fBLinux
NFS\fR, and only applies to NFS Version 2 and Version 3 requests.
.RE

.sp
.ne 2
.na
\fB\fBnone=\fR\fIaccess_list\fR\fR
.ad
.sp .6
.RS 4n
Access is not allowed to any client that matches the access list. The exception
is when the access list is an asterisk (\fB*\fR), in which case \fBro\fR or
\fBrw\fR can override \fBnone\fR.
.RE

.sp
.ne 2
.na
\fB\fBnosub\fR\fR
.ad
.sp .6
.RS 4n
Prevents clients from mounting subdirectories of shared directories. For
example, if \fB/export\fR is shared with the \fBnosub\fR option on server
\fIfooey\fR, then an \fBNFS\fR client cannot do:
.sp
.in +2
.nf
mount -F nfs fooey:/export/home/mnt
.fi
.in -2
.sp

NFS Version 4 does not use the \fBMOUNT\fR protocol. The \fBnosub\fR option
only applies to NFS Version 2 and Version 3 requests.
.RE

.sp
.ne 2
.na
\fB\fBnosuid\fR\fR
.ad
.sp .6
.RS 4n
By default, clients are allowed to create files on the shared file system with
the setuid or setgid mode enabled. Specifying \fBnosuid\fR causes the server
file system to silently ignore any attempt to enable the setuid or setgid mode
bits.
.RE

.sp
.ne 2
.na
\fB\fBpublic\fR\fR
.ad
.sp .6
.RS 4n
Moves the location of the public file handle from \fBroot\fR (\fB/\fR) to the
exported directory for Web\fBNFS\fR-enabled browsers and clients. This option
does not enable Web\fBNFS\fR service; Web\fBNFS\fR is always on. Only one file
system per server may use this option. Any other option, including the
\fB-ro=list\fR and \fB-rw=list\fR options can be included with the \fBpublic\fR
option.
.RE

.sp
.ne 2
.na
\fB\fBro\fR\fR
.ad
.sp .6
.RS 4n
Sharing is read-only to all clients.
.RE

.sp
.ne 2
.na
\fB\fBro=\fR\fIaccess_list\fR\fR
.ad
.sp .6
.RS 4n
Sharing is read-only to the clients listed in \fIaccess_list\fR; overrides the
\fBrw\fR suboption for the clients specified. See \fIaccess_list\fR below.
.RE

.sp
.ne 2
.na
\fB\fBroot=\fR\fIaccess_list\fR\fR
.ad
.sp .6
.RS 4n
Only root users from the hosts specified in \fIaccess_list\fR have root access.
See \fIaccess_list\fR below. By default, no host has root access, so root users
are mapped to an anonymous user \fBID\fR (see the \fBanon=\fR\fIuid\fR option
described above). Netgroups can be used if the file system shared is using UNIX
authentication (\fBAUTH_SYS\fR).
.RE

.sp
.ne 2
.na
\fB\fBroot_mapping=\fIuid\fR\fR\fR
.ad
.sp .6
.RS 4n
For a client that is allowed root access, map the root UID to the specified
user id.
.RE

.sp
.ne 2
.na
\fB\fBrw\fR\fR
.ad
.sp .6
.RS 4n
Sharing is read-write to all clients.
.RE

.sp
.ne 2
.na
\fB\fBrw=\fR\fIaccess_list\fR\fR
.ad
.sp .6
.RS 4n
Sharing is read-write to the clients listed in \fIaccess_list\fR; overrides the
\fBro\fR suboption for the clients specified. See \fIaccess_list\fR below.
.RE

.sp
.ne 2
.na
\fB\fBsec=\fR\fImode\fR[\fB:\fR\fImode\fR].\|.\|.\fR
.ad
.sp .6
.RS 4n
Sharing uses one or more of the specified security modes. The \fImode\fR in the
\fBsec=\fR\fImode\fR option must be a mode name supported on the client. If the
\fBsec=\fR option is not specified, the default security mode used is
\fBAUTH_SYS\fR. Multiple \fBsec=\fR options can be specified on the command
line, although each mode can appear only once. The security modes are defined
in \fBnfssec\fR(5).
.sp
Each \fBsec=\fR option specifies modes that apply to any subsequent
\fBwindow=\fR, \fBrw\fR, \fBro\fR, \fBrw=\fR, \fBro=\fR and \fBroot=\fR options
that are provided before another \fBsec=\fR option. Each additional \fBsec=\fR
resets the security mode context, so that more \fBwindow=\fR, \fBrw\fR,
\fBro\fR, \fBrw=\fR, \fBro=\fR and \fBroot=\fR options can be supplied for
additional modes.
.RE

.sp
.ne 2
.na
\fB\fBsec=\fR\fInone\fR\fR
.ad
.sp .6
.RS 4n
If the option \fBsec=\fR\fInone\fR is specified when the client uses
\fBAUTH_NONE\fR, or if the client uses a security mode that is not one that the
file system is shared with, then the credential of each \fBNFS\fR request is
treated as unauthenticated. See the \fBanon=\fR\fIuid\fR option for a
description of how unauthenticated requests are handled.
.RE

.sp
.ne 2
.na
\fB\fBsecure\fR\fR
.ad
.sp .6
.RS 4n
This option has been deprecated in favor of the \fBsec=\fR\fIdh\fR option.
.RE

.sp
.ne 2
.na
\fB\fBwindow=\fR\fIvalue\fR\fR
.ad
.sp .6
.RS 4n
When sharing with \fBsec=\fR\fIdh\fR, set the maximum lifetime (in seconds) of
the \fBRPC\fR request's credential (in the authentication header) that the
\fBNFS\fR server allows. If a credential arrives with a lifetime larger than
what is allowed, the \fBNFS\fR server rejects the request. The default value is
30000 seconds (8.3 hours).
.RE

.RE

.SS "\fIaccess_list\fR"
.sp
.LP
The \fIaccess_list\fR argument is a colon-separated list whose components may
be any number of the following:
.sp
.ne 2
.na
\fBhostname\fR
.ad
.sp .6
.RS 4n
The name of a host. With a server configured for \fBDNS\fR or \fBLDAP\fR naming
in the \fBnsswitch\fR "hosts" entry, any hostname must be represented as a
fully qualified \fBDNS\fR or \fBLDAP\fR name.
.RE

.sp
.ne 2
.na
\fBnetgroup\fR
.ad
.sp .6
.RS 4n
A netgroup contains a number of hostnames. With a server configured for
\fBDNS\fR or \fBLDAP\fR naming in the \fBnsswitch\fR "hosts" entry, any
hostname in a netgroup must be represented as a fully qualified \fBDNS\fR or
\fBLDAP\fR name.
.RE

.sp
.ne 2
.na
\fBdomain name suffix\fR
.ad
.sp .6
.RS 4n
To use domain membership the server must use \fBDNS\fR or \fBLDAP\fR to resolve
hostnames to \fBIP\fR addresses; that is, the "hosts" entry in the
\fB/etc/nsswitch.conf\fR must specify "dns" or "ldap" ahead of "nis" or
"nisplus", since only \fBDNS\fR and \fBLDAP\fR return the full domain name of
the host. Other name services like \fBNIS\fR or \fBNIS+\fR cannot be used to
resolve hostnames on the server because when mapping an \fBIP\fR address to a
hostname they do not return domain information. For example,
.sp
.in +2
.nf
NIS or NIS+   172.16.45.9 --> "myhost"
.fi
.in -2
.sp

and
.sp
.in +2
.nf
DNS or LDAP   172.16.45.9 -->
     "myhost.mydomain.mycompany.com"
.fi
.in -2
.sp

The domain name suffix is distinguished from hostnames and netgroups by a
prefixed dot. For example,
.sp
\fBrw=.mydomain.mycompany.com\fR
.sp
A single dot can be used to match a hostname with no suffix. For example,
.sp
\fBrw=.\fR
.sp
matches "mydomain" but not "mydomain.mycompany.com". This feature can be used
to match hosts resolved through \fBNIS\fR and \fBNIS+\fR rather than \fBDNS\fR
and \fBLDAP\fR.
.RE

.sp
.ne 2
.na
\fBnetwork\fR
.ad
.sp .6
.RS 4n
The network or subnet component is preceded by an at-sign (\fB@\fR). It can be
either a name or a dotted address. If a name, it is converted to a dotted
address by \fBgetnetbyname\fR(3SOCKET). For example,
.sp
\fB=@mynet\fR
.sp
would be equivalent to:
.sp
\fB=@172.16\fR or \fB=@172.16.0.0\fR
.sp
The network prefix assumes an octet-aligned netmask, determined from the zeroth
octet in the low-order part of the address, up to and including the high-order
octet if you want to specify a single IP address (see below). In the case
where network prefixes are not byte-aligned, the syntax allows a mask length to
be specified explicitly following a slash (\fB/\fR) delimiter. For example,
.sp
\fB=@theothernet/17\fR or \fB=@172.16.132/22\fR
.sp
\&...where the mask is the number of leftmost contiguous significant bits in
the corresponding IP address.
.sp
When specifying individual IP addresses, use the same \fB@\fR notation
described above, without a netmask specification. For example:
.sp
.in +2
.nf
=@172.16.132.14
.fi
.in -2
.sp

Multiple, individual IP addresses would be specified, for example, as:
.sp
.in +2
.nf
root=@172.16.132.20:@172.16.134.20
.fi
.in -2
.sp

.RE

.sp
.LP
A prefixed minus sign (\fB\(mi\fR) denies access to that component of
\fIaccess_list\fR. The list is searched sequentially until a match is found
that either grants or denies access, or until the end of the list is reached.
For example, if host "terra" is in the "engineering" netgroup, then
.sp
.in +2
.nf
rw=-terra:engineering
.fi
.in -2
.sp

.sp
.LP
denies access to \fBterra\fR but
.sp
.in +2
.nf
rw=engineering:-terra
.fi
.in -2
.sp

.sp
.LP
grants access to \fBterra\fR.
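The matching rules above can be modelled in a few lines. The following Python sketch is an added example, not code from share_nfs or mountd: it evaluates an access_list against a client's resolved hostname and IP address, with the first matching component deciding the result. The NETGROUPS and NETWORKS tables are constructed stand-ins for netgroup(4) and getnetbyname(3SOCKET), and the function names are hypothetical.

```python
import ipaddress

# Constructed lookup tables standing in for netgroup(4) and
# getnetbyname(3SOCKET); a real server queries its name services.
NETGROUPS = {"engineering": {"terra", "luna"}}
NETWORKS = {"mynet": "172.16"}


def parse_network(spec):
    """Convert the text after '@' into an ipaddress network object."""
    addr, _, bits = spec.partition("/")
    addr = NETWORKS.get(addr, addr)            # network name -> dotted address
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))        # 172.16 -> 172.16.0.0
    if bits:
        prefix = int(bits)                     # explicit mask length after '/'
    else:
        significant = list(octets)
        while significant and significant[-1] == "0":
            significant.pop()                  # trailing zero octets are host bits
        prefix = 8 * len(significant)          # octet-aligned default mask
    return ipaddress.ip_network(f"{'.'.join(octets)}/{prefix}", strict=False)


def component_matches(component, hostname, ip):
    """Test one access_list component (minus sign already removed)."""
    if component.startswith("@"):              # network or single IP address
        return ipaddress.ip_address(ip) in parse_network(component[1:])
    if component == ".":                       # hostname with no domain suffix
        return "." not in hostname
    if component.startswith("."):              # domain name suffix
        return hostname.endswith(component)
    # Plain name: either the host itself or a netgroup that contains it.
    return component == hostname or hostname in NETGROUPS.get(component, ())


def check_access_list(access_list, hostname, ip):
    """Return 'grant', 'deny' or 'no match' for a resolved client."""
    hostname = hostname.lower()
    for component in access_list.split(":"):
        deny = component.startswith("-")
        if deny:
            component = component[1:]
        if component_matches(component.lower(), hostname, ip):
            return "deny" if deny else "grant"  # first match ends the search
    return "no match"
```

Because the search stops at the first match, a deny entry only has an effect when it is listed before any broader entry that would also match the same client.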
.SH OPERANDS
.sp
.LP
The following operands are supported:
.sp
.ne 2
.na
\fB\fIpathname\fR\fR
.ad
.sp .6
.RS 4n
The pathname of the file system to be shared.
.RE

.SH EXAMPLES
.LP
\fBExample 1 \fRSharing A File System With Logging Enabled
.sp
.LP
The following example shows the \fB/export\fR file system shared with logging
enabled:

.sp
.in +2
.nf
example% \fBshare -o log /export\fR
.fi
.in -2
.sp

.sp
.LP
The default global logging parameters are used since no tag identifier is
specified. The location of the log file, as well as the necessary logging work
files, is specified by the global entry in \fB/etc/nfs/nfslog.conf\fR. The
\fBnfslogd\fR(1M) daemon runs only if at least one file system entry in
\fB/etc/dfs/dfstab\fR is shared with logging enabled upon starting or rebooting
the system. Simply sharing a file system with logging enabled from the command
line does not start \fBnfslogd\fR(1M).

.SH EXIT STATUS
.sp
.LP
The following exit values are returned:
.sp
.ne 2
.na
\fB\fB0\fR\fR
.ad
.sp .6
.RS 4n
Successful completion.
.RE

.sp
.ne 2
.na
\fB\fB>0\fR\fR
.ad
.sp .6
.RS 4n
An error occurred.
.RE

.SH FILES
.sp
.ne 2
.na
\fB\fB/etc/dfs/fstypes\fR\fR
.ad
.sp .6
.RS 4n
list of file system types, \fBNFS\fR by default
.RE

.sp
.ne 2
.na
\fB\fB/etc/dfs/sharetab\fR\fR
.ad
.sp .6
.RS 4n
system record of shared file systems
.RE

.sp
.ne 2
.na
\fB\fB/etc/nfs/nfslogtab\fR\fR
.ad
.sp .6
.RS 4n
system record of logged file systems
.RE

.sp
.ne 2
.na
\fB\fB/etc/nfs/nfslog.conf\fR\fR
.ad
.sp .6
.RS 4n
logging configuration file
.RE

.SH SEE ALSO
.sp
.LP
\fBmount\fR(1M), \fBmountd\fR(1M), \fBnfsd\fR(1M), \fBnfslogd\fR(1M),
\fBshare\fR(1M), \fBunshare\fR(1M), \fBgetnetbyname\fR(3SOCKET),
\fBnfslog.conf\fR(4), \fBnetgroup\fR(4), \fBattributes\fR(5), \fBnfssec\fR(5)
.SH NOTES
.sp
.LP
If the \fBsec=\fR option is presented at least once, all uses of the
\fBwindow=\fR, \fBrw\fR, \fBro\fR, \fBrw=\fR, \fBro=\fR and \fBroot=\fR options
must come \fBafter\fR the first \fBsec=\fR option. If the \fBsec=\fR option is
not presented, then \fBsec=\fR\fIsys\fR is implied.
.sp
.LP
If one or more explicit \fBsec=\fR options are presented, \fIsys\fR must appear
in one of the options' mode lists for access using the \fBAUTH_SYS\fR
security mode to be allowed. For example:
.sp
.in +2
.nf
\fBshare\fR \fB-F\fR \fBnfs /var\fR
\fBshare\fR \fB-F\fR \fBnfs\fR \fB-o\fR \fBsec=sys /var\fR
.fi
.in -2
.sp

.sp
.LP
grants read-write access to any host using \fBAUTH_SYS\fR, but
.sp
.in +2
.nf
\fBshare\fR \fB-F\fR \fBnfs\fR \fB-o\fR \fBsec=dh /var\fR
.fi
.in -2
.sp

.sp
.LP
grants no access to clients that use \fBAUTH_SYS\fR.
.sp
.LP
Unlike previous implementations of \fBshare_nfs\fR, access checking for the
\fBwindow=\fR, \fBrw\fR, \fBro\fR, \fBrw=\fR, and \fBro=\fR options is done per
\fBNFS\fR request, instead of per mount request.
.sp
.LP
Combining multiple security modes can be a security hole in situations where
the \fBro=\fR and \fBrw=\fR options are used to control access to weaker
security modes. In this example,
.sp
.in +2
.nf
\fBshare\fR \fB-F\fR \fBnfs\fR \fB-o\fR \fBsec=dh,rw,sec=sys,rw=hosta /var\fR
.fi
.in -2
.sp

.sp
.LP
an intruder can forge the IP address for \fBhosta\fR (albeit on each \fBNFS\fR
request) to side-step the stronger controls of \fBAUTH_DES\fR. Something like:
.sp
.in +2
.nf
\fBshare\fR \fB-F\fR \fBnfs\fR \fB-o\fR \fBsec=dh,rw,sec=sys,ro /var\fR
.fi
.in -2
.sp

.sp
.LP
is safer, because any client (intruder or legitimate) that avoids
\fBAUTH_DES\fR only gets read-only access. In general, multiple security modes
per \fBshare\fR command should only be used in situations where the clients
using more secure modes get stronger access than clients using less secure
modes.
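The sec= scoping rules and the guidance on mixing security modes can be checked mechanically before a line goes into /etc/dfs/dfstab. The following Python sketch is an added example, not part of share_nfs: it splits a -o option string into sec= clauses and reports the conditions these notes warn about. The ranking none < sys < dh, the read-write default for a clause that names no access option, and all function names are assumptions of the example.

```python
STRENGTH = {"none": 0, "sys": 1, "dh": 2}    # assumed ranking, weakest first
SCOPED = {"window", "rw", "ro", "root"}      # options scoped by a sec= clause
LEVEL = {"ro": 1, "rw": 2}                   # rw= and ro= count as rw and ro


def parse_clauses(options):
    """Return (clauses, findings); a clause is (modes, [(key, value), ...])."""
    opts = [o.partition("=")[::2] for o in options.split(",") if o]
    findings = []
    if not any(key == "sec" for key, _ in opts):
        return [(["sys"], opts)], findings   # no sec= means sec=sys is implied
    clauses, seen = [], set()
    for key, value in opts:
        if key == "sec":
            modes = value.split(":")
            for mode in modes:
                if mode in seen:
                    findings.append(f"mode {mode} appears more than once")
                seen.add(mode)
            clauses.append((modes, []))      # each sec= resets the context
        elif clauses:
            clauses[-1][1].append((key, value))
        elif key in SCOPED:
            findings.append(f"{key} must come after the first sec= option")
    return clauses, findings


def max_access(clause_opts):
    """Strongest access a clause can hand out to any client."""
    levels = [LEVEL[key] for key, _ in clause_opts if key in LEVEL]
    return max(levels) if levels else LEVEL["rw"]   # default share is read-write


def lint_share_options(options):
    """List findings for one -o option string; an empty list means none."""
    clauses, findings = parse_clauses(options)
    access = {}
    for modes, clause_opts in clauses:
        for mode in modes:
            access[mode] = max_access(clause_opts)
    ranked = sorted((m for m in access if m in STRENGTH), key=STRENGTH.get)
    for i, weak in enumerate(ranked):
        for strong in ranked[i + 1:]:
            # A weaker mode should get strictly less access than a stronger one.
            if access[weak] >= access[strong]:
                findings.append(
                    f"sec={weak} gets access at least as strong as sec={strong}")
    return findings
```

An access list on the weaker mode does not lower its level in this check, because rw=hosta still hands read-write access to whoever can present hosta's address.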
.sp
.LP
If \fBrw=\fR and \fBro=\fR options are specified in the same \fBsec=\fR
clause, and a client is in both lists, the order of the two options determines
the access the client gets. If client \fBhosta\fR is in two netgroups -
\fBgroup1\fR and \fBgroup2\fR - in this example, the client would get read-only
access:
.sp
.in +2
.nf
\fBshare\fR \fB-F\fR \fBnfs\fR \fB-o\fR \fBro=group1,rw=group2 /var\fR
.fi
.in -2
.sp

.sp
.LP
In this example \fBhosta\fR would get read-write access:
.sp
.in +2
.nf
\fBshare\fR \fB-F\fR \fBnfs\fR \fB-o\fR \fBrw=group2,ro=group1 /var\fR
.fi
.in -2
.sp

.sp
.LP
If within a \fBsec=\fR clause, both the \fBro\fR and \fBrw=\fR options are
specified, for compatibility, the order of the options rule is not enforced.
All hosts would get read-only access, with the exception of those in the
read-write list. Likewise, if the \fBro=\fR and \fBrw\fR options are specified,
all hosts get read-write access with the exception of those in the read-only
list.
.sp
.LP
The \fBro=\fR and \fBrw=\fR options are guaranteed to work over \fBUDP\fR and
\fBTCP\fR but may not work over other transport providers.
.sp
.LP
The \fBroot=\fR option with \fBAUTH_SYS\fR is guaranteed to work over \fBUDP\fR
and \fBTCP\fR but may not work over other transport providers.
.sp
.LP
The \fBroot=\fR option with \fBAUTH_DES\fR is guaranteed to work over any
transport provider.
.sp
.LP
There are no interactions between the \fBroot=\fR option and the \fBrw\fR,
\fBro\fR, \fBrw=\fR, and \fBro=\fR options. Putting a host in the \fBroot\fR
list does not override the semantics of the other options. The access the host
gets is the same as when the \fBroot=\fR option is absent. For example, the
following \fBshare\fR command denies access to \fBhostb\fR:
.sp
.in +2
.nf
\fBshare\fR \fB-F\fR \fBnfs\fR \fB-o\fR \fBro=hosta,root=hostb /var\fR
.fi
.in -2
.sp

.sp
.LP
The following gives read-only permissions to \fBhostb\fR:
.sp
.in +2
.nf
\fBshare\fR \fB-F\fR \fBnfs\fR \fB-o\fR \fBro=hostb,root=hostb /var\fR
.fi
.in -2
.sp

.sp
.LP
The following gives read-write permissions to \fBhostb\fR:
.sp
.in +2
.nf
\fBshare\fR \fB-F\fR \fBnfs\fR \fB-o\fR \fBro=hosta,rw=hostb,root=hostb /var\fR
.fi
.in -2
.sp

.sp
.LP
If the file system being shared is a symbolic link to a valid pathname, the
canonical path (the path which the symbolic link follows) is shared. For
example, if \fB/export/foo\fR is a symbolic link to \fB/export/bar\fR
(\fB/export/foo -> /export/bar\fR), the following \fBshare\fR command results
in \fB/export/bar\fR as the shared pathname (and not \fB/export/foo\fR).
.sp
.in +2
.nf
\fBexample# share\fR \fB-F\fR \fBnfs /export/foo\fR
.fi
.in -2
.sp

.sp
.LP
An \fBNFS\fR mount of \fBserver:/export/foo\fR results in
\fBserver:/export/bar\fR really being mounted.
.sp
.LP
This line in the \fB/etc/dfs/dfstab\fR file shares the \fB/disk\fR file system
read-only at boot time:
.sp
.in +2
.nf
\fBshare\fR \fB-F\fR \fBnfs\fR \fB-o\fR \fBro /disk\fR
.fi
.in -2
.sp

.sp
.LP
The same command entered from the command line does not share the \fB/disk\fR
file system unless there is at least one file system entry in the
\fB/etc/dfs/dfstab\fR file. The \fBmountd\fR(1M) and \fBnfsd\fR(1M) daemons
only run if there is a file system entry in \fB/etc/dfs/dfstab\fR when starting
or rebooting the system.
.sp
.LP
The \fBmountd\fR(1M) process allows the processing of a path name that contains
a symbolic link. This allows the processing of paths that are not themselves
explicitly shared with \fBshare_nfs\fR. For example, \fB/export/foo\fR might be
a symbolic link that refers to \fB/export/bar\fR which has been specifically
shared. When the client mounts \fB/export/foo\fR the \fBmountd\fR processing
follows the symbolic link and responds with \fB/export/bar\fR. The NFS
Version 4 protocol does not use the \fBmountd\fR processing, so the client's
use of \fB/export/foo\fR does not work as it does with NFS Version 2 and
Version 3, and the client receives an error when attempting to mount
\fB/export/foo\fR.